Total
4644 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-33268 | 1 Dts | 1 Monitoring | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue was discovered in DTS Monitoring 3.57.0. The parameter port within the SSL Certificate check function is vulnerable to OS command injection (blind). | |||||
| CVE-2023-33239 | 1 Moxa | 4 Tn-4900, Tn-4900 Firmware, Tn-5900 and 1 more | 2024-11-21 | N/A | 8.8 HIGH |
| TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability. This vulnerability stems from insufficient input validation in the key-generation function, which could potentially allow malicious users to execute remote code on affected devices. | |||||
| CVE-2023-33238 | 1 Moxa | 4 Tn-4900, Tn-4900 Firmware, Tn-5900 and 1 more | 2024-11-21 | N/A | 7.2 HIGH |
| TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability. This vulnerability stems from inadequate input validation in the certificate management function, which could potentially allow malicious users to execute remote code on affected devices. | |||||
| CVE-2023-33013 | 1 Zyxel | 2 Nbg6604, Nbg6604 Firmware | 2024-11-21 | N/A | 8.8 HIGH |
| A post-authentication command injection vulnerability in the NTP feature of Zyxel NBG6604 firmware version V1.01(ABIR.1)C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request. | |||||
| CVE-2023-33012 | 1 Zyxel | 44 Usg 20w-vpn, Usg 20w-vpn Firmware, Usg 2200-vpn and 41 more | 2024-11-21 | N/A | 8.8 HIGH |
| A command injection vulnerability in the configuration parser of the Zyxel ATP series firmware versions 5.10 through 5.36 Patch 2, USG FLEX series firmware versions 5.00 through 5.36 Patch 2, USG FLEX 50(W) series firmware versions 5.10 through 5.36 Patch 2, USG20(W)-VPN series firmware versions 5.10 through 5.36 Patch 2, and VPN series firmware versions 5.00 through 5.36 Patch 2, could allow an unauthenticated, LAN-based attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled. | |||||
| CVE-2023-32976 | 1 Qnap | 1 Container Station | 2024-11-21 | N/A | 6.6 MEDIUM |
| An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network. We have already fixed the vulnerability in the following version: Container Station 2.6.7.44 and later | |||||
| CVE-2023-32350 | 1 Teltonika-networks | 36 Rut200, Rut200 Firmware, Rut240 and 33 more | 2024-11-21 | N/A | 8.0 HIGH |
| Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload. | |||||
| CVE-2023-31209 | 2 Checkmk, Tribe29 | 2 Checkmk, Checkmk | 2024-11-21 | N/A | 8.8 HIGH |
| Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users. | |||||
| CVE-2023-31188 | 1 Tp-link | 4 Archer C50 V3, Archer C50 V3 Firmware, Archer C55 and 1 more | 2024-11-21 | N/A | 8.0 HIGH |
| Multiple TP-LINK products allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505', Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506', and Archer C20 firmware versions prior to 'Archer C20(JP)_V1_230616'. | |||||
| CVE-2023-31037 | 1 Nvidia | 4 Bluefield 2 Ga, Bluefield 2 Lts, Bluefield 3 Ga and 1 more | 2024-11-21 | N/A | 7.2 HIGH |
| NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call. A successful exploit of this vulnerability may lead to code execution on the OS. | |||||
| CVE-2023-30854 | 1 Wwbn | 1 Avideo | 2024-11-21 | N/A | 8.8 HIGH |
| AVideo is an open source video platform. Prior to version 12.4, an OS Command Injection vulnerability in an authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. This issue is fixed in version 12.4. | |||||
| CVE-2023-30806 | 1 Sangfor | 1 Next-gen Application Firewall | 2024-11-21 | N/A | 9.8 CRITICAL |
| The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /cgi-bin/login.cgi endpoint. This is due to mishandling of shell meta-characters in the PHPSESSID cookie. | |||||
| CVE-2023-30805 | 1 Sangfor | 1 Next-gen Application Firewall | 2024-11-21 | N/A | 9.8 CRITICAL |
| The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /LogInOut.php endpoint. This is due to mishandling of shell meta-characters in the "un" parameter. | |||||
| CVE-2023-30628 | 1 Kiwitcms | 1 Kiwi Tcms | 2024-11-21 | N/A | 8.8 HIGH |
| Kiwi TCMS is an open source test management system. In kiwitcms/Kiwi v12.2 and prior and kiwitcms/enterprise v12.2 and prior, the `changelog.yml` workflow is vulnerable to command injection attacks because of using an untrusted `github.head_ref` field. The `github.head_ref` value is an attacker-controlled value. Assigning the value to `zzz";echo${IFS}"hello";#` can lead to command injection. Since the permission is not restricted, the attacker has a write-access to the repository. Commit 834c86dfd1b2492ccad7ebbfd6304bfec895fed2 of the kiwitcms/Kiwi repository and commit e39f7e156fdaf6fec09a15ea6f4e8fec8cdbf751 of the kiwitcms/enterprise repository contain a fix for this issue. | |||||
| CVE-2023-30621 | 1 Gipsy Project | 1 Gipsy | 2024-11-21 | N/A | 9.8 CRITICAL |
| Gipsy is a multi-purpose discord bot which aim to be as modular and user-friendly as possible. In versions prior to 1.3 users can run command on the host machine with sudoer permission. The `!ping` command when provided with an IP or hostname used to run a bash `ping <IP>` without verification that the IP or hostname was legitimate. This command was executed with root permissions and may lead to arbitrary command injection on the host server. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-30261 | 1 Openwb | 1 Openwb | 2024-11-21 | N/A | 9.8 CRITICAL |
| Command Injection vulnerability in OpenWB 1.6 and 1.7 allows remote attackers to run arbitrary commands via crafted GET request. | |||||
| CVE-2023-2625 | 1 Abb | 2 Txpert Hub Coretec 4, Txpert Hub Coretec 4 Firmware | 2024-11-21 | N/A | 9.0 CRITICAL |
| A vulnerability exists that can be exploited by an authenticated client that is connected to the same network segment as the CoreTec 4, having any level of access VIEWER to ADMIN. To exploit the vulnerability the attacker can inject shell commands through a particular field of the web user interface that will be executed by the system. | |||||
| CVE-2023-2564 | 1 Scanservjs Project | 1 Scanservjs | 2024-11-21 | N/A | 10.0 CRITICAL |
| OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0. | |||||
| CVE-2023-2522 | 1 Feiyuxing | 2 Vec40g, Vec40g Firmware | 2024-11-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Chengdu VEC40G 3.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /send_order.cgi?parameter=access_detect of the component Network Detection. The manipulation of the argument COUNT with the input 3 | netstat -an leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228013 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-2479 | 1 Appium | 1 Appium-desktop | 2024-11-21 | N/A | 9.8 CRITICAL |
| OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4. | |||||